SAML authentication has to be enabled for the different web applications. This is done by uncommenting the respective endpoint in securityContext.xml and also editing saml.enabled in the custom properties file of the respective application.

In this post we will be enabling SAML for the old (classic) BI Launchpad, BOE/BI.

Changes in securityContext.xml file

In securityContext.xml under <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF there is a section for the SAML entry endpoints.

1. By default, only the SAML entry endpoint for the Classic BI Launchpad is enabled.

2. SAML authentication can also be enabled for the other applications (OpenDocument, Fiori Launchpad) by uncommenting the <security:intercept-url line of that particular application.

3. If SAML authentication has to be enabled for only one application, e.g. BI Launchpad alone, the line <security:intercept-url pattern="/BI" access="IS_AUTHENTICATED_FULLY"/> has to be uncommented and the entry points for OpenDocument and Fiori Launchpad have to be commented out.

Changes in BILaunchpad.properties

Create a BILaunchpad.properties file under <BOE Install Dir>\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom if no custom properties file exists yet. If it already exists, only the property saml.enabled=true needs to be added.

Configurations in the deployment descriptor – web.xml

Enabling SAML in the SP configuration

Activate the SAML context configuration

a. Open the <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF\web.xml file in a text editor.

b. Remove the lines (<!-- and -->) that comment out the contents between the START SAML / END SAML comments.

A new filter has been introduced for SAML; the relevant section of web.xml is kept commented out by default.

Enable the filters in web.xml of the BOE web application by uncommenting the SAML sections.

If BOE is deployed on a Linux (non-Windows) machine, the path separators in the file path to the IdP metadata under the FilesystemMetadataProvider bean should be changed in securityContext.xml under <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF.

i.e. <value type="java.io.File">/WEB-INF/idp-meta-downloaded.xml</value> has to be changed to <value type="java.io.File">\WEB-INF\idp-meta-downloaded.xml</value> for Linux.

aliasname is the certificate alias name, Password is a password of your choice, numberofdays is the number of days for which the self-signed certificate is valid, and sampletestKeystore.jks is the name of the keystore file.

The generated keystore file has to be copied from the bin folder to <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF, and the references to the new aliasname, Password and keystore file name have to be changed in the securityContext.xml file.

The first argument (sampleKeystore.jks) points to the key store file used; the second contains the password (Password1) for the keystore, which you entered at the command prompt after the keystore generation command; the third maps the private keys to their passwords as alias-password value pairs (Password1). The alias of the default certificate is the last parameter (Testkey).

Note: SP metadata has to be generated every time this keystore file is changed.
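The keystore steps above gathered into one script, as an added example that is not part of the original post: it generates the self-signed SP keystore with the JDK's keytool (the post does not show the command it used, so the keytool invocation is an assumption), checks that the alias is a private-key entry, and prints the JKSKeyManager bean whose four constructor arguments are the ones described above. The alias Testkey, the password Password1, the 365-day validity, the certificate DN and the /WEB-INF/... resource location are constructed sample values; the bean class and argument order are those of Spring Security SAML. Adjust them to match your own securityContext.xml.

```shell
# Added example: build the SP signing keystore and the matching
# JKSKeyManager bean for securityContext.xml. Values below are samples.
set -eu

ALIAS="Testkey"                    # aliasname
STOREPASS="Password1"              # Password (keystore and key password)
VALIDITY_DAYS=365                  # numberofdays
KEYSTORE="sampletestKeystore.jks"  # keystore file name

# Generate a self-signed RSA key pair into a JKS keystore in $1.
# (keytool usage assumed; the post only names the parameters.)
generate_sp_keystore() {
  outdir=$1
  keytool -genkeypair \
    -alias "$ALIAS" \
    -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -validity "$VALIDITY_DAYS" \
    -keystore "$outdir/$KEYSTORE" -storetype JKS \
    -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -dname "CN=boehost, OU=BI, O=Example, C=US"
}

# Return 0 only if the alias exists as a PrivateKeyEntry.
# keytool stores aliases case-insensitively and lists them in lower case.
verify_alias() {
  keytool -list -keystore "$1/$KEYSTORE" -storepass "$STOREPASS" \
    | grep -qi "^$ALIAS,.*PrivateKeyEntry"
}

# Render the bean whose four constructor args must agree with the keystore:
# keystore file, keystore password, alias->key password map, default alias.
render_key_manager_bean() {
  cat <<EOF
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
    <constructor-arg value="/WEB-INF/$KEYSTORE"/>
    <constructor-arg type="java.lang.String" value="$STOREPASS"/>
    <constructor-arg>
        <map>
            <entry key="$ALIAS" value="$STOREPASS"/>
        </map>
    </constructor-arg>
    <constructor-arg type="java.lang.String" value="$ALIAS"/>
</bean>
EOF
}

# Run the procedure only where a JDK is available.
if command -v keytool >/dev/null 2>&1; then
  workdir=$(mktemp -d)
  generate_sp_keystore "$workdir"
  verify_alias "$workdir" && echo "keystore OK: $workdir/$KEYSTORE"
  # Copying into WEB-INF is left to the operator, e.g.:
  #   cp "$workdir/$KEYSTORE" "<BOE Install Dir>/tomcat/webapps/BOE/WEB-INF/"
  render_key_manager_bean
fi
```

After copying the keystore and pasting the printed bean into securityContext.xml, regenerate the SP metadata, since the signing certificate embedded in it has changed.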

After making all the above changes, restart Tomcat.

Configure Trusted Authentication for Tomcat with Web session

Add the global.properties file under <BOE Install Dir>\tomcat\webapps\BOE\WEB-INF\config\custom and make the changes below:

sso.enabled=true

trusted.auth.shared.secret=MySecret

trusted.auth.user.param=MyUser

trusted.auth.user.retrieval=WEB_SESSION

Go to CMC -> Authentication -> Enterprise.

Enable Trusted Authentication.

Set the validity and download the shared secret key (TrustedPrincipal.conf).

Click Save, and save the TrustedPrincipal.conf file to the following directories:

<INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\

<INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\win32_x86\

Create the IDP user in BOE

The IDP user has to be created in BOE, either manually, imported through an SDK script, or via the CSV option in CMC.

SAML-based authentication relies on Trusted Authentication from the web server to the CMS. For this, the IDP users have to exist in BOE as Enterprise users.

The user is redirected to the IDP login page for authentication. Enter the credentials of your Azure email login.

Once the credentials are validated, the user is logged in automatically.

IDP initiated

To access the app using IDP-initiated SSO, the following attribute has to be added: tick the Show advanced URL settings checkbox and add https://boehost:port/BOE/BI as the Sign on URL of SAP Business Intelligence.

Save the configuration.

To access the app using IDP-initiated SSO, go to Apps in the Azure portal using the URL below and click on SAP Business Intelligence.

IDP-initiated SAML is supported from BI 4.2 SP05 onwards. Initially it was certified with HCP; now Azure has also been certified. The SSO happens through Trusted Authentication, so in Sessions it will show as SecEnterprise.

Hey Paul, this is really a great post and helpful information! Thanks much for sharing step by step process and guide for configuring Microsoft azure and the detailed guidance about SAP BI configuration. Also, the links for reference that you’ve provided in between are very much useful.